Guard yourself from Firesheep and Wi-Fi snooping

The abundance of free/cheap and open Wi-Fi networks in restaurants, airports, offices and hotels is a great perk to the traveling user; it makes connectivity and remote access much easier than it used to be. But you need to be informed and understand the risks.
Unfortunately, most of those “Open” networks don’t employ WEP or WPA passwords to secure the connection between device and hotspot, every byte and packet that’s transmitted back and forth is visible to all the computers on the wireless LAN, all the time. While certain sites and services use full-time browser encryption (the ones that have URLs beginning with https:// and that show a lock in the browser status bar), many only encrypt the login session to hide your username and password from prying eyes. This, as it turns out, is the digital equivalent of locking the door but leaving the windows wide open.

Firesheep is a Firefox extension which makes it trivially easy to impersonate someone to the websites they log in to while on the same open Wi-Fi network. It kicks in when you login to a website (usually in a secure fashion, via HTTPS) and then the site redirects you to a non-secured page after login. Most sites that operate this way will save your login information in a browser cookie, which can be ‘sniffed’ by someone on the same network segment; that’s what Firesheep does automatically. With the cookie in hand, it’s simple to present it to the remote site and proceed to do bad things with the logged-in account. Bad things could range from sending fake Twitter or Facebook messages all the way up to, potentially, buying things on ecommerce sites.

The solution

USE SSL/HTTPS only if the website supports it — is quite simple: after you connect, the site should keep your session secure using SSL or https. Some sites, including most banking sites, already do this. However, encryption requires more overhead and more server muscle, so many sites (Facebook, Twitter, etc.) only use it for the actual login. Gmail has an option to require https and has made it the default setting, but you should make sure that it’s enabled if you use Gmail (Google Apps has a similar feature). This also doesn’t necessarily help if you’re using an embedded browser in an iPhone or iPad app, where the URL is hard-coded.

Protecting yourself from Firesheep if you use Firefox or Chrome is possible with extensions like the EFF’s HTTPS Everywhere, Secure Sites or Force-TLS. These work by forcing a redirect to the secure version of a site, if it exists. The obvious problems with these solutions are: a) you have to install one for each browser (and we have not yet found one for Safari), and b) it only works if a secure version of the site exists.

Even better.

A) Don’t use open networks.
B) Use a SOCKS proxy and SSH tunnel.
C) Use a VPN.